Introduction

So, that's not actually some mega explanation paper about some cool hacker stuff, just a little advisory. I will not explain a lot of code here, because it will be A LOT. This paper is based on my other paper: 3 steps down the stairs, but here we will take a look at Thread Injection inside the Windows native world. So, I will show you a working example of how you can inject a thread from one native application into another, in this case, it will be Session Manager Subsystem. It will be an injection attack against smss.exe.Just a few things for people unfamiliar with all this native stuff. A little quote from Wiki:

The Native API (with capitalized N) is the publicly incompletely documented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft [1]. Most of the Native API calls are implemented in ntoskrnl.exe and are exposed to user mode by ntdll.dll. Some Native API calls are implemented in user mode directly within ntdll.dll.

While most of Microsoft Windows is implemented using the documented and well-defined Windows API, a few components, such as the Client/Server Runtime Subsystem are implemented using the Native API, as they are started early enough in the Windows NT Startup Process that the Windows API is not available yet.

Native Windows API are sometimes used in Win32 applications, rarely in legit apps, mostly in malware. Examining malicious code, you can often observe its usage in the following way:

That's how it is done from the Win32 world. But that's just an example for those of you who don't know much about it or never encounter such. For malware researchers, obvious. Now, to give you an idea about pure native application, I will present here probably the simplest example of it.

So, this application will do just a few useless things: it will print out, during system boot time, on a blue screen a message "Hello from Native ", sleep for 5 seconds and terminate itself. Easy. And now I will show you how this above function can be injected into session manager subsystem. A thread injection is a widely known routine and there is nothing special about it, but I couldn't find anything, describing this technique in native applications on the net, so here we go. All right, straight to the subject my friends, we don't have much time, life is too short...